prvng_platform/control-center/policies/time-based-access.cedar

// Time-Based Access Control Policy
// Restricts access based on time of day, day of week, and business hours
// Compliance: Least Privilege, Temporal Security Controls

// Standard business hours access
permit(
    principal,
    action,
    resource
) when {
    // Business hours: Monday-Friday 8 AM to 6 PM
    context.time.hour >= 8 &&
    context.time.hour < 18 &&
    context.time.day_of_week >= 1 &&
    context.time.day_of_week <= 5 &&
    principal has role &&
    principal.role in ["Employee", "Contractor", "Manager", "Developer"]
};

// Extended access for IT operations team
permit(
    principal,
    action,
    resource
) when {
    // Extended hours: Monday-Friday 6 AM to 10 PM
    context.time.hour >= 6 &&
    context.time.hour < 22 &&
    context.time.day_of_week >= 1 &&
    context.time.day_of_week <= 5 &&
    principal has role &&
    principal.role in ["ITOps", "SRE", "SystemAdmin", "SecurityAnalyst"]
};

// 24/7 access for critical support roles
permit(
    principal,
    action,
    resource
) when {
    principal has role &&
    principal.role in ["OnCallEngineer", "IncidentManager", "SecurityOfficer", "MonitoringService"] &&
    principal has on_call_status &&
    principal.on_call_status.active == true
};

// Weekend access with approval
permit(
    principal,
    action,
    resource
) when {
    (context.time.day_of_week == 0 || context.time.day_of_week == 6) && // Saturday or Sunday
    principal has weekend_access &&
    principal.weekend_access.approved == true &&
    principal.weekend_access.expires_at > context.time.timestamp &&
    principal.weekend_access.justification != ""
};

// Holiday access restrictions
forbid(
    principal,
    action,
    resource
) when {
    context has holiday &&
    context.holiday.is_company_holiday == true &&
    resource has criticality &&
    resource.criticality in ["low", "medium"] &&
    !(principal has holiday_override) &&
    !(principal has role && principal.role in ["OnCallEngineer", "SecurityOfficer"])
};

// After-hours sensitive resource access
permit(
    principal,
    action,
    resource
) when {
    resource has sensitivity &&
    resource.sensitivity == "high" &&
    (
        context.time.hour < 8 ||
        context.time.hour >= 18 ||
        context.time.day_of_week == 0 ||
        context.time.day_of_week == 6
    ) &&
    principal has after_hours_approval &&
    principal.after_hours_approval.granted == true &&
    principal.after_hours_approval.expires_at > context.time.timestamp &&
    principal.after_hours_approval.supervisor_approval == true
};

// Time zone considerations for global teams
permit(
    principal,
    action,
    resource
) when {
    principal has time_zone &&
    context has user_local_time &&
    // Allow access during user's local business hours
    context.user_local_time.hour >= 8 &&
    context.user_local_time.hour < 18 &&
    context.user_local_time.day_of_week >= 1 &&
    context.user_local_time.day_of_week <= 5 &&
    principal has global_access &&
    principal.global_access.authorized == true
};

// Emergency access time override
permit(
    principal,
    action,
    resource
) when {
    principal has emergency_access &&
    principal.emergency_access.active == true &&
    principal.emergency_access.expires_at > context.time.timestamp &&
    principal.emergency_access.incident_level in ["critical", "high"] &&
    principal.emergency_access.authorized_by in ["IncidentCommander", "CISO", "CTO"]
};
core: init repo and codebase 2025-10-07 10:59:52 +01:00			`// Time-Based Access Control Policy`
			`// Restricts access based on time of day, day of week, and business hours`
			`// Compliance: Least Privilege, Temporal Security Controls`

			`// Standard business hours access`
			`permit(`
			`principal,`
			`action,`
			`resource`
			`) when {`
			`// Business hours: Monday-Friday 8 AM to 6 PM`
			`context.time.hour >= 8 &&`
			`context.time.hour < 18 &&`
			`context.time.day_of_week >= 1 &&`
			`context.time.day_of_week <= 5 &&`
			`principal has role &&`
			`principal.role in ["Employee", "Contractor", "Manager", "Developer"]`
			`};`

			`// Extended access for IT operations team`
			`permit(`
			`principal,`
			`action,`
			`resource`
			`) when {`
			`// Extended hours: Monday-Friday 6 AM to 10 PM`
			`context.time.hour >= 6 &&`
			`context.time.hour < 22 &&`
			`context.time.day_of_week >= 1 &&`
			`context.time.day_of_week <= 5 &&`
			`principal has role &&`
			`principal.role in ["ITOps", "SRE", "SystemAdmin", "SecurityAnalyst"]`
			`};`

			`// 24/7 access for critical support roles`
			`permit(`
			`principal,`
			`action,`
			`resource`
			`) when {`
			`principal has role &&`
			`principal.role in ["OnCallEngineer", "IncidentManager", "SecurityOfficer", "MonitoringService"] &&`
			`principal has on_call_status &&`
			`principal.on_call_status.active == true`
			`};`

			`// Weekend access with approval`
			`permit(`
			`principal,`
			`action,`
			`resource`
			`) when {`
			`(context.time.day_of_week == 0 \|\| context.time.day_of_week == 6) && // Saturday or Sunday`
			`principal has weekend_access &&`
			`principal.weekend_access.approved == true &&`
			`principal.weekend_access.expires_at > context.time.timestamp &&`
			`principal.weekend_access.justification != ""`
			`};`

			`// Holiday access restrictions`
			`forbid(`
			`principal,`
			`action,`
			`resource`
			`) when {`
			`context has holiday &&`
			`context.holiday.is_company_holiday == true &&`
			`resource has criticality &&`
			`resource.criticality in ["low", "medium"] &&`
			`!(principal has holiday_override) &&`
			`!(principal has role && principal.role in ["OnCallEngineer", "SecurityOfficer"])`
			`};`

			`// After-hours sensitive resource access`
			`permit(`
			`principal,`
			`action,`
			`resource`
			`) when {`
			`resource has sensitivity &&`
			`resource.sensitivity == "high" &&`
			`(`
			`context.time.hour < 8 \|\|`
			`context.time.hour >= 18 \|\|`
			`context.time.day_of_week == 0 \|\|`
			`context.time.day_of_week == 6`
			`) &&`
			`principal has after_hours_approval &&`
			`principal.after_hours_approval.granted == true &&`
			`principal.after_hours_approval.expires_at > context.time.timestamp &&`
			`principal.after_hours_approval.supervisor_approval == true`
			`};`

			`// Time zone considerations for global teams`
			`permit(`
			`principal,`
			`action,`
			`resource`
			`) when {`
			`principal has time_zone &&`
			`context has user_local_time &&`
			`// Allow access during user's local business hours`
			`context.user_local_time.hour >= 8 &&`
			`context.user_local_time.hour < 18 &&`
			`context.user_local_time.day_of_week >= 1 &&`
			`context.user_local_time.day_of_week <= 5 &&`
			`principal has global_access &&`
			`principal.global_access.authorized == true`
			`};`

			`// Emergency access time override`
			`permit(`
			`principal,`
			`action,`
			`resource`
			`) when {`
			`principal has emergency_access &&`
			`principal.emergency_access.active == true &&`
			`principal.emergency_access.expires_at > context.time.timestamp &&`
			`principal.emergency_access.incident_level in ["critical", "high"] &&`
			`principal.emergency_access.authorized_by in ["IncidentCommander", "CISO", "CTO"]`
			`};`